minor #46062 [HtmlSanitizer] Add HtmlSanitizerConfig::withMaxInputLength() (nicolas-grekas)
This PR was merged into the 6.1 branch. Discussion ---------- [HtmlSanitizer] Add HtmlSanitizerConfig::withMaxInputLength() | Q | A | ------------- | --- | Branch? | 6.1 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | Fix ##44798 (review) | License | MIT | Doc PR | - Commits ------- 070f2cf [HtmlSanitizer] Add HtmlSanitizerConfig::withMaxInputLength()
2 parents a25483f + 070f2cf commit ea96c13

5 files changed

+27
-5
lines changed


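--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -2243,6 +2243,10 @@ private function addHtmlSanitizerSection(ArrayNodeDefinition $rootNode, callable
                         ->info('Unregisters custom attribute sanitizers.')
                         ->scalarPrototype()->end()
                     ->end()
+                    ->integerNode('max_input_length')
+                        ->info('The maximum length allowed for the sanitized input.')
+                        ->defaultValue(0)
+                    ->end()
                 ->end()
             ->end()
         ->end()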
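Review bot: The new `max_input_length` node accepts any integer, so a negative value passes configuration and, per the HtmlSanitizer hunk below, ends up as a negative `substr()` length that strips the tail of every input instead of bounding it; the XML schema in this same commit already restricts the attribute to `xsd:positiveInteger`, so the YAML/PHP path should be at least as strict, e.g. `->min(0)` after `->defaultValue(0)`. The info text is also misleading: the limit truncates rather than rejects, it is measured in bytes (`\strlen`), and `0` does not mean "unlimited" but "keep the component default", so something like `->info('Maximum number of input bytes that are sanitized; longer input is truncated. 0 keeps the component default.')` would save users a surprise. The `addHtmlSanitizerSection` method starts outside this hunk.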

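--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -2734,6 +2734,10 @@ private function registerHtmlSanitizerConfiguration(array $config, ContainerBuil
                 $def->addMethodCall('withoutAttributeSanitizer', [new Reference($serviceName)], true);
             }
 
+            if ($sanitizerConfig['max_input_length']) {
+                $def->addMethodCall('withMaxInputLength', [$sanitizerConfig['max_input_length']], true);
+            }
+
             // Create the sanitizer and link its config
             $sanitizerId = 'html_sanitizer.sanitizer.'.$sanitizerName;
             $container->register($sanitizerId, HtmlSanitizer::class)->addArgument(new Reference($configId));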
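Review bot: The guard `if ($sanitizerConfig['max_input_length'])` only filters out `0`; a negative value is truthy and is forwarded to `withMaxInputLength()`, where (see the HtmlSanitizer hunk) it becomes a negative `substr()` length and silently drops the end of every input rather than capping it. Unless the Configuration node rejects negatives, the intent "only override when a positive limit is set" should be explicit here: `if ($sanitizerConfig['max_input_length'] > 0) {`. The enclosing `registerHtmlSanitizerConfiguration` method starts and ends outside this hunk.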

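--- a/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
+++ b/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
@@ -850,6 +850,7 @@
         <xsd:attribute name="force-https-urls" type="xsd:boolean" />
         <xsd:attribute name="allow-relative-links" type="xsd:boolean" />
         <xsd:attribute name="allow-relative-medias" type="xsd:boolean" />
+        <xsd:attribute name="max-input-length" type="xsd:positiveInteger" />
     </xsd:complexType>
 
     <xsd:complexType name="element-option">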

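--- a/src/Symfony/Component/HtmlSanitizer/HtmlSanitizer.php
+++ b/src/Symfony/Component/HtmlSanitizer/HtmlSanitizer.php
@@ -25,18 +25,16 @@
 final class HtmlSanitizer implements HtmlSanitizerInterface
 {
     private HtmlSanitizerConfig $config;
-    private int $maxInputLength;
     private ParserInterface $parser;
 
     /**
      * @var array<string, DomVisitor>
      */
     private array $domVisitors = [];
 
-    public function __construct(HtmlSanitizerConfig $config, int $maxInputLength = 20000, ParserInterface $parser = null)
+    public function __construct(HtmlSanitizerConfig $config, ParserInterface $parser = null)
     {
         $this->config = $config;
-        $this->maxInputLength = $maxInputLength;
         $this->parser = $parser ?? new MastermindsParser();
     }
 
@@ -64,8 +62,8 @@ private function sanitizeWithContext(string $context, string $input): string
         $this->domVisitors[$context] ??= $this->createDomVisitorForContext($context);
 
         // Prevent DOS attack induced by extremely long HTML strings
-        if (\strlen($input) > $this->maxInputLength) {
-            $input = substr($input, 0, $this->maxInputLength);
+        if (\strlen($input) > $this->config->getMaxInputLength()) {
+            $input = substr($input, 0, $this->config->getMaxInputLength());
         }
 
         // Only operate on valid UTF-8 strings. This is necessary to prevent cross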
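Review bot: The truncation in `sanitizeWithContext` is byte-wise (`\strlen`/`substr`), so when the limit falls inside a multi-byte UTF-8 sequence the result ends with a partial character; the very next comment says the sanitizer only operates on valid UTF-8, so depending on what that check does (it is outside the hunk) an oversized but well-formed input may be rejected wholesale rather than capped. If the DoS bound is meant to stay a byte bound while keeping the string valid, `mb_strcut()` cuts at a byte length without splitting a character, e.g. `$maxInputLength = $this->config->getMaxInputLength();` followed by `$input = mb_strcut($input, 0, $maxInputLength);` (assuming mbstring is available to the component — to confirm), which also avoids calling the getter twice. The existing comment should at least state that the limit is in bytes, e.g. `// Prevent DoS from extremely long HTML strings: cap the input at max_input_length bytes (truncates, does not reject)`. Note that the constructor no longer accepts the limit positionally; callers that passed a second int argument now bind it to `$parser` and will fail at the type check.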

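--- a/src/Symfony/Component/HtmlSanitizer/HtmlSanitizerConfig.php
+++ b/src/Symfony/Component/HtmlSanitizer/HtmlSanitizerConfig.php
@@ -92,6 +92,8 @@ class HtmlSanitizerConfig
      */
     private array $attributeSanitizers;
 
+    private int $maxInputLength = 20_000;
+
     public function __construct()
     {
         $this->attributeSanitizers = [
@@ -405,6 +407,19 @@ public function withoutAttributeSanitizer(AttributeSanitizerInterface $sanitizer
         return $clone;
     }
 
+    public function withMaxInputLength(int $maxInputLength): static
+    {
+        $clone = clone $this;
+        $clone->maxInputLength = $maxInputLength;
+
+        return $clone;
+    }
+
+    public function getMaxInputLength(): int
+    {
+        return $this->maxInputLength;
+    }
+
     /**
      * @return array<string, array<string, true>>
      */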
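Review bot: `withMaxInputLength()` stores any int without validation, and the sanitizer (see the HtmlSanitizer hunk) feeds it straight to `substr()`: a `0` turns every non-empty input into an empty string, and a negative value strips that many bytes from the end of every input instead of bounding it, so a misconfiguration disables sanitization output silently rather than failing loudly. Rejecting non-positive values at the config boundary is a one-liner at the top of the method, `if ($maxInputLength < 1) { throw new \InvalidArgumentException(sprintf('The maximum input length must be a positive integer, "%d" given.', $maxInputLength)); }`, matching the `xsd:positiveInteger` constraint this commit adds to the XML schema. Both new methods also lack a docblock; something like `Sets the maximum number of input bytes the sanitizer processes; longer input is truncated, not rejected (default 20000).` on `withMaxInputLength()` would document the unit and the truncation behaviour, since `maxInputLength` is compared against `\strlen` on the sanitizer side.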
